Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
When generating package-lock.json, git+https dependencies are resolved to git+ssh.
Expected Behavior
When installing dependencies with the git+https protocol, the resolved versions in package-lock.json should also use the git+https protocol. More generally, the resolved versions should always use the given protocol.
Steps To Reproduce
- Use a fresh installation of NPM (default config)
- Create a project with this
package.json:
{
"name": "test-npm-git",
"private": true,
"version": "never",
"dependencies": {
"noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
}
}
- Run
npm install in the project
- Observe the
package-lock.json. For me, it looks like this:
{
"name": "test-npm-git",
"version": "never",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "test-npm-git",
"version": "never",
"dependencies": {
"noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
}
},
"node_modules/noop": {
"version": "1.0.1",
"resolved": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0",
"integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==",
"license": "MIT OR CC0-1.0"
}
},
"dependencies": {
"noop": {
"version": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0",
"integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==",
"from": "noop@git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
}
}
}Environment
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
When generating package-lock.json, git+https dependencies are resolved to git+ssh.
Expected Behavior
When installing dependencies with the git+https protocol, the resolved versions in package-lock.json should also use the git+https protocol. More generally, the resolved versions should always use the given protocol.
Steps To Reproduce
package.json:{ "name": "test-npm-git", "private": true, "version": "never", "dependencies": { "noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0" } }npm installin the projectpackage-lock.json. For me, it looks like this:{ "name": "test-npm-git", "version": "never", "lockfileVersion": 2, "requires": true, "packages": { "": { "name": "test-npm-git", "version": "never", "dependencies": { "noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0" } }, "node_modules/noop": { "version": "1.0.1", "resolved": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0", "integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==", "license": "MIT OR CC0-1.0" } }, "dependencies": { "noop": { "version": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0", "integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==", "from": "noop@git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0" } } }Environment
npm -v: 8.3.2